Configuring cloud connection for secure environments or proxy servers

PrintFactory uses the LicenseServer service to connect to its cloud infrastructure. The LicenseServer acts as a proxy for all applications. Because it acts as a proxy, the production floor needs no Internet access as long as the applications can reach the LicenseServer.

Required connections

To establish bi-directional communication between the on-premises and cloud applications, the LicenseServer expects to have access to the following servers and ports:

External connections (from proxy):

  • api.aurelon.com, port 443 (https)
  • app.aurelon.com, port 443 (https)
  • order.aurelon.com, port 443 (https)
  • connect.aurelon.com, port 27499 (wss)
  • notification.aurelon.com, port 27489 (wss)

Software Manager uses the LicenseServer to check whether the connections can be established. The left green tick shows whether the Software Manager (and therefore all other on-premises applications) can reach the LicenseServer Proxy; the right tick shows whether the LicenseServer can reach the cloud applications. A green tick shows successful bi-directional communication. An amber tick means that data can be sent to the cloud but no information can be received back. The latter means that WebSocket connectivity is blocked (connect.aurelon.com).

If the right tick is amber, not all connections have been established successfully. To find out what fails, hover over the tick; a tooltip window appears that lists the details of each connection.

Common practice

A common set-up is to install the LicenseServer in a secure environment controlled by the IT department. The LicenseServer is installed on an edge server, and the firewall is set up to allow access only to and from the aforementioned servers on the interface that connects to the Internet. Toward the production floor, access is either unrestricted or limited by a firewall to the following ports:

  • UDP port 5436 (Proxy discovery)
  • UDP port 5437 (RIP discovery)
  • TCP port 5438 (RIP REST API and RIP Web UI)
  • TCP port 5440 (Workflow REST API)
  • TCP port 5536 (Configuration proxy)
  • TCP port 5470 (Internet proxy)
  • TCP port 9100 (PrintAgent API)

Secure communication and storage

By default, all communication between the proxy and the cloud is encrypted. The connection acts as a VPN between your local installation(s) and the secure cloud storage.

The data is redundantly stored on multiple devices across multiple facilities in an Amazon S3 Region close to your location.

Deep packet inspection

Certain routers can apply deep packet inspection to security protocols. This may cause a problem, as PrintFactory can then no longer properly establish a secure connection to the cloud servers. To perform deep packet inspection on SSL connections, an intermediate certificate (issued by the router) is used to let the router intercept the traffic between PrintFactory and the cloud. This is also known as “man-in-the-middle”: traffic is decrypted, analyzed and encrypted again. The result is a non-secure chain, which PrintFactory rejects if the router is configured incorrectly. There are 2 possible ways to solve this:

  1. Whitelist *.aurelon.com and *.printfactory.cloud
    This is the preferred method as the traffic is secure and unmodified.
  2. Install the router certificate
    Install the router-issued intermediate certificate authority on the computer where the LicenseServer/Proxy is installed. This enables the PrintFactory software to accept the router’s intermediate certificate and the router to decrypt the PrintFactory traffic. Make sure that the router does not rewrite the traffic, as this may malform it, in which case the communication is still rejected.
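
To tell a blocked port apart from an inspection certificate that is not trusted, each endpoint under Required connections can be probed with a verified TLS handshake and the certificate issuer reported. This is an added example, not PrintFactory code; the status names, the advice table and the use of Python's default trust store (which may differ from the one PrintFactory uses) are assumptions.

```python
import socket
import ssl

# Hosts and ports copied from the "Required connections" list above.
ENDPOINTS = [
    ("api.aurelon.com", 443),
    ("app.aurelon.com", 443),
    ("order.aurelon.com", 443),
    ("connect.aurelon.com", 27499),       # wss: TLS on a non-standard port
    ("notification.aurelon.com", 27489),  # wss
]

# Hypothetical status names mapped to the remedies this article describes.
ADVICE = {
    "ok": "verified; an issuer naming your router means traffic is inspected",
    "tcp_blocked": "allow this host and port outbound on the firewall",
    "tls_untrusted": "whitelist the host on the router or install its CA here",
    "tls_error": "handshake failed; check that the router does not rewrite traffic",
}

def probe(host, port, timeout=5.0):
    """Return (status, detail) after a TCP connect and a verified TLS handshake."""
    ctx = ssl.create_default_context()  # Python's trust store (assumption)
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "tcp_blocked", str(exc)
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            issuer = dict(p for rdn in tls.getpeercert()["issuer"] for p in rdn)
            return "ok", issuer.get("organizationName",
                                    issuer.get("commonName", "unknown"))
    except ssl.SSLCertVerificationError as exc:
        return "tls_untrusted", exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        return "tls_error", str(exc)

def report(endpoints=ENDPOINTS, timeout=5.0):
    """Probe every endpoint and return rows of (host, port, status, detail)."""
    return [(h, p, *probe(h, p, timeout)) for h, p in endpoints]

if __name__ == "__main__":
    for host, port, status, detail in report():
        print(f"{host}:{port:<6} {status:<14} {detail}")
        print(f"    -> {ADVICE[status]}")
```

Run it on the machine that hosts the LicenseServer, since that is the machine whose outbound path to the cloud matters.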

Reporting only set-up

An exceptional case is a set-up with a web proxy server, which allows statuses and statistics to be reported to the cloud but does not allow automation instructions to be received from the cloud. Using proxies is therefore discouraged: the LicenseServer is itself a proxy and shields the production floor from direct Internet access, as long as the LicenseServer has direct Internet access.

By default, the LicenseServer application tries to connect to the Internet and also tries to determine the proxy settings automatically.

If the proxy settings are automatically detected, the file “C:\Users\Public\Hub\ComputerConfig.xml” is read. The proxy settings can be defined in this file, using the proxy, port, username and password of your network.

Below is an example of this “ComputerConfig.xml” file:

<?xml version="1.0"?>
<ComputerConfig>
    <ProxySettings>
        <Proxy>www.google.com</Proxy>
        <Port>123</Port>
        <User>User</User>
        <Pass>Pass</Pass>
    </ProxySettings>
</ComputerConfig>
